Data Retention Policy
Effective Date: July 27, 2025
Purpose
This Data Retention Policy explains how long SlammedTracker retains your personal information and data, and the criteria we use for determining retention periods. This policy helps ensure we keep your data only as long as necessary and in compliance with applicable laws including GDPR, CCPA, and other privacy regulations.
Retention Periods by Data Type
| Data Type | Retention Period | Reason | After Deletion |
|---|---|---|---|
| Account Information Username, email, profile data |
Until account deletion + 30 days | Service provision, account recovery | Permanently deleted from all systems |
| Vehicle Data Make, model, year, specifications |
Until account deletion + 30 days | Core service functionality | Permanently deleted from all systems |
| Expense Records Maintenance costs, fuel, repairs |
Until account deletion + 30 days | Financial tracking, service provision | Permanently deleted from all systems |
| Photos & Documents Vehicle images, receipts |
Until account deletion + 30 days | Service functionality, user reference | Permanently deleted from storage |
| Session Data Login sessions, cookies |
30 days after last activity | Security, session management | Automatically purged |
| Security Logs Login attempts, IP addresses |
90 days | Security monitoring, fraud prevention | Automatically deleted |
| Analytics Data Usage patterns, performance |
24 months | Service improvement, analytics | Aggregated data may be retained |
| Support Communications Email tickets, chat logs |
3 years | Customer service, legal compliance | Archived, then permanently deleted |
| Financial Records Billing history, transactions |
7 years | Legal, tax, accounting requirements | Securely archived, then deleted |
| Legal Hold Data Data subject to legal proceedings |
Until legal matter resolved | Legal compliance | Normal retention rules apply |
Retention Criteria
We determine retention periods based on several factors:
Legal Requirements
- Statutory retention periods
- Tax and accounting regulations
- Data protection laws
- Industry-specific requirements
Business Needs
- Service provision requirements
- Customer support needs
- Security and fraud prevention
- Analytics and improvement
Security Considerations
- Incident investigation needs
- Audit trail requirements
- Compliance monitoring
- Risk management
User expectations
- Data availability for service use
- Account recovery capabilities
- Historical data access
- Export and portability needs
Account Deletion Process
Standard Account Deletion
- Deletion Request: You request account deletion through settings or support
- Grace Period: 30-day period to change your mind and reactivate
- Data Export: Option to download your data during grace period
- Permanent Deletion: After 30 days, all personal data is permanently deleted
Immediate Deletion Requests
Under certain circumstances, you may request immediate deletion:
- Privacy law requirements (GDPR, CCPA, etc.)
- Security or safety concerns
- Account compromise
- Legal or regulatory requirements
Data Storage and Backup
Active Storage
- Production Systems: Data actively used by the service
- Caching Systems: Temporary data for performance (up to 24 hours)
- Search Indexes: Searchable data copies (synchronized with production)
- Content Delivery Networks: Cached static content (automatically updated)
Backup Systems
- Daily Backups: Retained for 30 days
- Weekly Backups: Retained for 12 weeks
- Monthly Backups: Retained for 12 months
- Annual Backups: Retained for 3 years (for compliance purposes only)
Backup Deletion Process
When you delete your account:
- Your data is immediately marked for deletion in production systems
- Backup systems are purged of your data within 90 days
- Encrypted backups make individual data extraction technically impossible
- All backup retention periods are overridden for deleted accounts
Automated Data Management
Automated Deletion Systems
- Daily Cleanup: Expired sessions and temporary data
- Weekly Cleanup: Old security logs and analytics data past retention
- Monthly Reviews: Account deletion grace periods and backup purging
- Quarterly Audits: Comprehensive retention policy compliance review
Data Lifecycle Management
| Lifecycle Stage | Data Location | Access Level | Retention Action |
|---|---|---|---|
| Active | Production databases | Full user access | Normal retention rules |
| Inactive (90+ days) | Production databases | Full user access | Compression, cold storage |
| Grace Period | Secure deletion queue | Limited recovery access | 30-day deletion countdown |
| Deleted | Backup systems only | No access | 90-day backup purge |
Data Location and Jurisdiction
Primary Data Centers
- United States: Primary hosting location (AWS/Azure)
- European Union: EU user data (GDPR compliance)
- Canada: Disaster recovery and backup location
Data Transfer and Processing
Cross-Border Transfers
- Adequate safeguards in place
- Standard contractual clauses
- Data Processing Agreements
- Regular compliance audits
Local Compliance
- GDPR (European Union)
- CCPA (California)
- PIPEDA (Canada)
- Local data protection laws
Data Security During Retention
Security Measures
- Encryption at Rest: AES-256 encryption for all stored data
- Encryption in Transit: TLS 1.3 for all data transfers
- Access Controls: Role-based access with minimum necessary principles
- Audit Logging: Comprehensive logging of all data access
- Regular Security Reviews: Quarterly security assessments
Secure Deletion Process
Multi-Stage Deletion
- Stage 1: Logical deletion - data marked as deleted
- Stage 2: Physical deletion - data overwritten with random data
- Stage 3: Cryptographic deletion - encryption keys destroyed
- Stage 4: Verification - deletion confirmed and documented
Your Data Rights
Access and Control
- Data Access: View all data we have about you
- Data Export: Download your data in portable formats
- Data Correction: Update incorrect or outdated information
- Data Deletion: Request immediate deletion of your account
- Processing Restriction: Limit how we process your data
- Data Portability: Transfer your data to another service
Exercising Your Rights
Self-Service Options
- Account Settings dashboard
- Data export tools
- Privacy preference center
- Account deletion option
Support Requests
- Email: privacy@jtworx.com
- Response time: Within 30 days
- Identity verification required
- Free of charge
Exceptions to Retention Periods
Legal Hold
- Data subject to legal proceedings may be retained longer
- Law enforcement requests may extend retention
- Regulatory investigations can override deletion schedules
- Court orders take precedence over retention policies
Technical Limitations
Important Technical Notes
- Encrypted backups may contain deleted data until backup rotation
- Search indexes may temporarily cache deleted information
- CDN caches may retain public content until expiration
- Log files may contain references to deleted data
Business Continuity
- Aggregated analytics data may be retained longer
- De-identified data used for service improvement
- Security incident data may have extended retention
- Compliance records maintained as required by law
Compliance and Monitoring
Regular Audits
- Monthly: Automated retention compliance checks
- Quarterly: Manual review of retention policies
- Annually: Comprehensive third-party audit
- As Needed: Incident-triggered reviews
Compliance Reporting
| Report Type | Frequency | Scope | Audience |
|---|---|---|---|
| Retention Metrics | Monthly | Data volumes, deletion rates | Internal management |
| Compliance Status | Quarterly | Policy adherence, exceptions | Legal and compliance teams |
| Transparency Report | Annually | User requests, deletions | Public (summary) |
| Audit Results | As needed | Full retention practices | Regulators, auditors |
Policy Updates
This Data Retention Policy may be updated to reflect:
- Changes in applicable laws and regulations
- New data types or service features
- Improvements in data management technology
- Feedback from users and regulators
- Results from compliance audits
Update Process
How We Notify You
- Major Changes: 30 days advance notice via email
- Minor Updates: In-app notification and policy page update
- Emergency Changes: Immediate notification with explanation
- All Changes: Updated effective date and version history
Contact Us
If you have questions about our data retention practices or this policy:
General Questions:
Email: privacy@jtworx.com
Response: Within 48 hours
Data Deletion Requests:
Email: privacy@jtworx.com
Response: Within 30 days
Data Protection Officer: For complex privacy matters or regulatory compliance questions, our Data Protection Officer is available at dpo@jtworx.com